Latest revision as of 19:19, 17 December 2010


The EnCase forensics suite uses a proprietary file format to store sets of known hashes called the EnCase hash file format. The format stores a set of MD5 hashes and metadata about the set as a whole. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. In particular, the filename corresponding to each hash is not stored.

Version 3 of EnCase used a slightly different format than versions 4 and 5. Both versions start with the header, in hexadecimal:

48 41 53 48 0d 0a ff 00

In ASCII, this reads as the four characters HASH followed by a CR LF newline (0D 0A), then the bytes FF 00.

The hashes begin at offset 0x480 in the file.

A quick look at a hash file created by EnCase 6.8.1.8 revealed the following structure (to be verified):

Offset 0x0000

A header that consists of the following 16 bytes:

48 41 53 48 0D 0A FF 00 02 00 00 00 01 00 00 00

Offset 0x0010

Count: The number of MD5 sums contained in this file, written as a 4-byte integer in Intel little endian format (i.e. least significant byte first).

Offset 0x0014

The range from 0x0014 to 0x0407 is filled by zero-bytes. The purpose of this area is unknown.

Offset 0x0408

HashSet: The text that EnCase shows in its column "Hash Set". The maximum string length is 39 characters. Characters are stored in Unicode, two bytes per character, as described for the Category field below. (Based on a hash file from EnCase v. 6.17)

Offset 0x0458

Category: The text that EnCase shows in its column "Category". The maximum string length is 19 characters. Each character is written as a 2-byte Unicode number. Examples:

The Latin letter A is represented by the 2 bytes

41 00

The Cyrillic letter Д is represented by the 2 bytes

14 04

Again, Intel little endian format is used. The unused space is filled up by zero-bytes.

Offset 0x047E

Two zero-bytes.

Offset 0x0480

Start of the hash entries. Each entry occupies 18 bytes: the hash value itself (the raw 16-byte MD5 digest) followed by 2 zero-bytes. The next entry follows immediately, so the file ends at 0x0480 + 18 * Count.
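The layout above, turned into a small parser as an added example (this is not EnCase's code nor from the original article; the offsets and field widths are taken from the description above and are as unverified as it is). The builder only exists to construct a sample file inline; its hash values and names are made up.

```python
import struct

# Layout as documented above (EnCase 6.x, marked "to be verified" on this page)
MAGIC = bytes.fromhex("48415348" "0D0AFF00" "02000000" "01000000")
COUNT_OFFSET = 0x0010      # 4-byte little-endian count of MD5 entries
HASHSET_OFFSET = 0x0408    # UTF-16LE, max 39 chars, zero padded
HASHSET_MAX_CHARS = 39
CATEGORY_OFFSET = 0x0458   # UTF-16LE, max 19 chars, zero padded
CATEGORY_MAX_CHARS = 19
ENTRIES_OFFSET = 0x0480    # 18-byte entries: 16-byte MD5 + 2 zero bytes
ENTRY_SIZE = 18

def _utf16_field(buf, offset, max_chars):
    """Decode a zero-padded UTF-16LE string field, stopping at the first NUL."""
    raw = buf[offset:offset + 2 * max_chars]
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def parse_encase_hash_file(buf):
    """Return (hashset, category, [md5 hex, ...]); raise ValueError on malformed input."""
    if len(buf) < ENTRIES_OFFSET or buf[:len(MAGIC)] != MAGIC:
        raise ValueError("not an EnCase hash file (too short or bad magic)")
    (count,) = struct.unpack_from("<I", buf, COUNT_OFFSET)
    if len(buf) < ENTRIES_OFFSET + count * ENTRY_SIZE:
        raise ValueError("count field %d exceeds file size %d" % (count, len(buf)))
    hashes = []
    for i in range(count):
        off = ENTRIES_OFFSET + i * ENTRY_SIZE
        if buf[off + 16:off + 18] != b"\x00\x00":
            raise ValueError("entry %d: missing 2-byte zero padding" % i)
        hashes.append(buf[off:off + 16].hex())
    return (_utf16_field(buf, HASHSET_OFFSET, HASHSET_MAX_CHARS),
            _utf16_field(buf, CATEGORY_OFFSET, CATEGORY_MAX_CHARS), hashes)

def build_encase_hash_file(hashset, category, md5_hexes):
    """Build a file in this layout (constructed test data, not EnCase output)."""
    if len(hashset) > HASHSET_MAX_CHARS or len(category) > CATEGORY_MAX_CHARS:
        raise ValueError("string too long for its field")
    buf = bytearray(ENTRIES_OFFSET)             # zero-filled fixed area
    buf[:len(MAGIC)] = MAGIC
    struct.pack_into("<I", buf, COUNT_OFFSET, len(md5_hexes))
    name, cat = hashset.encode("utf-16-le"), category.encode("utf-16-le")
    buf[HASHSET_OFFSET:HASHSET_OFFSET + len(name)] = name
    buf[CATEGORY_OFFSET:CATEGORY_OFFSET + len(cat)] = cat
    for h in md5_hexes:
        buf += bytes.fromhex(h) + b"\x00\x00"
    return bytes(buf)

# Constructed sample: two arbitrary MD5 values, a Cyrillic letter in the category
SAMPLE = build_encase_hash_file("Known Good", "Дtest",
    ["d41d8cd98f00b204e9800998ecf8427e", "00112233445566778899aabbccddeeff"])
```

Running parse_encase_hash_file over SAMPLE returns the two names and the hash list; a file whose Count field promises more entries than the file holds is rejected rather than read past the end.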